How secure is your data centre?
January 18, 2022
For those with a significant stake or role in a data centre business, whether it’s for their own organisation or for others, it is important to understand that there is a very real cyber risk threatening data centre operators, creating a pre-eminent risk to their critical facility networks. Whilst some may hide behind the veil of physical security, (certain data centres mention being ‘the most secure facilities in the world’, with sophisticated multi-layer protection zones and high-end systems), ironically the IoT devices used on these networks can be used by cyber criminals to get access to the broader DCOT network.
DCOT – the weak link?
Throughout industry, Industrial Control Systems (ICS) have long been targeted with cyber crime but now, more malicious, and sophisticated strains of malware and ransomware are specifically targeting Operational Technology (OT) environments.
This is as the data centre industry develops and forward-thinking operators are using techniques and approaches typical of more complex industrial facilities to drive innovation.
Increasingly at Dial, we are seeing this because while the infrastructure in a data centre is focused on keeping the computers going, there is usually little or no focus on the security around the Operational Technology. We recommend that organisations consider reclassifying Data Centre Operational Technology (DCOT) environments to the same level or more, as corporate networks.
There is also a question around whose responsibility these networks are. Is it the engineering department because it is to do with the mechanics of the building? Is it the IT department because it has cyber written on it? Or is it security because they are in charge of protecting the building? In reality, responsibility should sit at the top of the organisation as the stakes are so high.
The true impact
The impact of any kind of security breach can be extremely damaging, both financially and through longer term damage to brand reputation. It is somewhat ironic that in the data centre world, the focus is firmly on avoiding downtime which is measured in seconds, minutes and for a serious outage, hours. When it comes to recovery from a cyber breach, though, it is measured in days, weeks, and months – it is a totally different landscape.
Financial impacts are similarly compounded. The Uptime Institute reports that one in ten major outages at a data centre costs over £1m. However, the average cost of downtime is dwarfed when we start to look at the costs associated with a cyber breach. For example, in April 2020, IT services and data centre provider, Cognizant, was hit by a ransomware attack that, it forewarned investors in July 2020, could cost it between $50m and $70m.
In addition to ransoms and operational recovery costs, there may be severe fines imposed as a result of subsequent regulatory investigation. For example, the EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for infringements. This type of regulation is already extending beyond personal data theft and is considering the impact to safety and disruption to national critical infrastructure.
However, the biggest loss to a data centre in the end is that of trust. If the very company that houses its customers’ precious IT assets has allowed a data breach in its own systems or facility infrastructure, the resultant loss in confidence can be difficult to recover from and it is not a situation that a responsible stakeholder can ignore.
An open door
The fact is that there are scores of vulnerabilities in and around the data centre facility itself, where increasingly clever hackers are able to get in and cause devastation, and where you are unlikely to be protected. Your DCOT comprises all the equipment and services embedded in your building, from your biometric, security and CCTV to your critical power and cooling, Internet of Things (IoT) devices and sensors, fire and life safety systems, remote monitoring tools, building management systems as well as control systems on multiple networks, which have many protocols and platforms such as BacNet, ModBus, SCADA, TCPIP, Distributed Control Systems (DCS), Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC).
In many cases, a building’s equipment will be at least partly maintained and serviced by external suppliers, in some cases remotely. With these engineers, from both operator and client teams entering the facilities with uncontrolled hardware, and the prolific use of IoT devices and out-of-band network facilities on plant and equipment, it is often an easy target for hackers.
Not just about data security
Whilst those of us in the data centre sector are fortunate enough to be working in a growing industry that is now essential to the fabric of society, and one of the foundations of our increasingly digital lives, we must recognise that an attack on the data centre infrastructure is an attack on all the businesses it supports, irrespective of the size, scale, or location of the facility.
This isn’t just about data security. It’s about being a core component of the technology supply chain, which increasingly contains SMEs as well as major corporates. Data centre operators could be forgiven for thinking that it’s the larger companies that are at risk of cyber attack but this simply is not true. Mid-sized organisations are essential components in any supply chain and they experienced the biggest increase in average breach cost, and smaller organisations had higher than average costs per employee. These are possibly the organisations that have taken fewer steps to protect themselves.
It will get worse
As the sophistication of the data centre infrastructure develops, and many smart building techniques integrated with control and automation systems are adopted, there is further risk that attackers will use evermore imaginative ways to find a back door even to the most highly secure, so-called ‘dark’ sites.
Our world is now about novel and new cyber attacks and never-before-seen events, and so the landscape has become massively challenging for security teams to defend. With low and slow, hard-to-detect techniques, through to machine speed attacks, where criminals weaponise AI, it is clear that human speed responses are no longer adequate.
Data centres are amongst the most critical infrastructures in society because the data held in these facilities is increasingly vital to the way communities run. They are used to support utilities, hospitals and healthcare, food manufacturers, the logistics and transport industries, education, defence, and communications – all examples of key sectors that affect the very fabric of how the world runs. As a result tomorrow is too late to start looking at the risk to DCOT, which underpins the facilities and organisations need to act fast.
Sadly, our connected world has become a lucrative playground for criminals who can launch attacks on victims in multiple countries and jurisdictions, with little fear of being caught.
Mike West is the CEO at DIAL Ltd, the specialist company that provides a range of advisory and cyber security services to corporates, investment funds and owners and operators in the data centre market and the wider digital infrastructure arena.